EasyPark, a mobile and web-based parking app firm that also owns ParkMobile and RingGo, has disclosed a data breach incident impacting the payment details of an undefined number of customers.
EasyPark operates in 2,200 cities across 20 countries, providing customers with a range of parking-related services designed to help clients save money and time by finding available spaces and EV charging points. Customers can reserve, book, and pay for parking spaces online in advance, a convenience for which they have to enter their payment data on the app. The EasyPark app counts 10,000,000 downloads on Google Play alone.
An announcement published on the EasyPark website informs customers that the company suffered a cyberattack that has impacted their personal information. The attack occurred on December 10, 2023, and resulted in the exposure of the following information:
- Full name
- Phone number
- Physical address
- Email address
- Credit/debit card digits
- IBAN (International Bank Account Number) digits
The above data, which EasyPark interestingly calls ‘non-sensitive,’ does not place exposed clients at a direct risk of losing money from unauthorized transactions; however, it could be precious to phishing actors and other scammers looking to carry out targeted attacks.
Not all of the exposed clients have had the above data types exposed due to this security incident, as that depends on what data they had provided to the company, what information they entered on the app, etc.
Impacted EasyPark customers should expect to be individually informed via in-app messages, push notifications, SMS, and an email to the registered address sent from ‘no-reply@hello.easypark.com.’ Those who receive a confirmation of a data breach should reset their account passwords out of an abundance of caution and also change them on other platforms where they might be using the same credentials to avoid credential-stuffing compromises.
EasyPark says its incident response mechanisms were activated immediately upon discovering the attack, and the incident hasn’t had a material impact on its business and operations. Also, the notice clarifies that the incident hasn’t resulted in unauthorized parking transactions.
The data protection authorities in Sweden, the base of EasyPark, as well as the United Kingdom and Switzerland have been notified accordingly. The Swedish authorities should soon announce the launching of investigations on the scope of the data breach and whether it constitutes a violation of the GDPR.
At this time, the exact number of impacted customers remains unspecified. RestorePrivacy has emailed the firm to request a specific number, and we will update this post once we receive a response.